IETF Logo Mail Archive

Re: [shara] port randomization (draft-ymbk-aplusp-03)

<pierre.levis@orange-ftgroup.com> Fri, 13 March 2009 08:07 UTC

Return-Path: <pierre.levis@orange-ftgroup.com>
X-Original-To: shara@core3.amsl.com
Delivered-To: shara@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D36FD3A6A7A for <shara@core3.amsl.com>; Fri, 13 Mar 2009 01:07:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.099
X-Spam-Level:
X-Spam-Status: No, score=-3.099 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QjSK3UV30iPw for <shara@core3.amsl.com>; Fri, 13 Mar 2009 01:07:52 -0700 (PDT)
Received: from p-mail1.rd.francetelecom.com (p-mail1.rd.francetelecom.com [195.101.245.15]) by core3.amsl.com (Postfix) with ESMTP id 3197D3A683D for <shara@ietf.org>; Fri, 13 Mar 2009 01:07:52 -0700 (PDT)
Received: from ftrdmel1.rd.francetelecom.fr ([10.193.117.152]) by ftrdsmtp1.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.3959); Fri, 13 Mar 2009 09:08:29 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C9A3B2.E46271FC"
Date: Fri, 13 Mar 2009 09:08:28 +0100
Message-ID: <D109C8C97C15294495117745780657AE0B6BEB6B@ftrdmel1>
In-Reply-To: <49B9752B.8030407@go6.si>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [shara] port randomization (draft-ymbk-aplusp-03)
Thread-Index: AcmjU/ZEmb3qlvYnTTKBiHhnaV4e6wAWlQrg
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com><49B91C8B.5010906@go6.si><04a201c9a338$d5ce8f70$fd736b80@cisco.com> <49B9752B.8030407@go6.si>
From: <pierre.levis@orange-ftgroup.com>
To: <jan@go6.si>, <shara@ietf.org>
X-OriginalArrivalTime: 13 Mar 2009 08:08:29.0171 (UTC) FILETIME=[E49C1430:01C9A3B2]
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
X-BeenThere: shara@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>, <mailto:shara-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2009 08:07:59 -0000

This is a good question.
I'm also wondering, currently how many OSs and how many NATs do implement a good randomization function?
 
More generally, in port range solutions we (I include myself) propose sophisticated functions that surely make sense.
However, I do believe that, if we want to see vendors rapidly implement port range capabilities, we have to agree on a minimum set of functionalities that makes it possible to build a viable port range solution.
I'm very convinced, for example, that it is straighforward (I mean almost no cost and without any performance lost) for all vendors to upgrade their routers to PRRs (Port Range Router), we did that on Linux only by configuration.
 
 
 
Pierre


________________________________

De : shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] De la part de Jan Zorz @ go6.si
Envoyé : jeudi 12 mars 2009 21:49
À : shara@ietf.org
Objet : Re: [shara] port randomization (draft-ymbk-aplusp-03)




Dan Wing wrote: 

		How important is port randomization and how big is the impact in real 
		life,
		    

	
	Over the last 10 years there have been several attacks against
	TCP and DNS that have exploited predictable emphemeral ports.  The
	industry response to those attacks has been to (a) randomize 
	ephemeral port selection (rather than incrementing to the next 
	port number) and (b) increase the ephemeral port range used by 
	the OS.
	
	See
	http://tools.ietf.org/html/draft-ietf-tsvwg-port-randomization-02#section-1
	for more detailed answer to your question.
	  

Dan, hi. 

I'm well aware of that draft, it is also referenced in in A+P draft. Maybe I was not clear enough in my question, let me re-phrase it.
In shared IP solutions we are taking away ports from customers, we are taking away resources and everything is a compromise. 
Being said that, if we are happy with compromise, why not introduce compromise also in a dirty hack as port randomization is.
 So, can we live with randomization within for example range of 512 ports? Is this "good enough"? We are quite fond of accepting 
the compromise of shared IP as "good enough", because we have no other option, so can we accept also the compromise of less randomness in 
port randomization hack? 

I'm also curious to hear some aproximation from any HW vendor, what does allocating "one port per request" means for PRR in larger scale. I suspect this 
might very well be performance suicide, but this is only my speculation. If not - good, we can go in that direction, which I recognise as good also in several other ways.

Thank you for your time and effort, Jan Zorz

v2.8.7 | Report a Bug | By Email